An inspection carried out by the European Data Protection Supervisor (EDPS) on the websites of major EU institutions and bodies revealed data protection and data security issues in seven out of the ten websites inspected. Each of the institutions concerned has received recommendations from the EDPS on how to ensure their websites are fully compliant with data protection rules and the relevant institutions have reacted swiftly to start rectifying the problems identified, the European Data Protection Supervisor said today.
Giovanni Buttarelli, EDPS, said: “The responses to this remote inspection have been reassuring. The EU institutions responsible for the most important websites have informed us of technical measures that they have implemented to significantly reduce the risks to security and privacy that were detected in our inspection. We have already received positive feedback from the inspected institutions concerning our recommendations and we expect to be able to confirm that all remaining issues are resolved in a follow-up inspection.”
The EDPS inspection concerned the data protection compliance of public web services, including websites, controlled by the EU institutions and bodies, excluding their social network presence. It assessed compliance with Regulation 2018/1725, which sets out the data protection rules for the EU institutions and bodies, the ePrivacy Directive 2002/57/EC and the recommendations provided to EU institutions and bodies by the EDPS in his Guidelines on web services, published in 2016.
For the first wave of inspections, which took place in August 2018, the EDPS selected ten public websites, including those operated by the largest EU institutions and bodies and those that, due to the nature of their work, should apply special caution in their handling of personal data. Websites included those of the European Parliament, the shared website of the European Council and the Council of the European Union, the European Commission, the Court of Justice of the EU, Europol and the European Banking Authority. The EDPS also inspected the websites of the European Data Protection Board (EDPB), the 2018 International Conference of Data Protection and Privacy Commissioners (ICDPPC 2018) and the EDPS website itself.
The inspection revealed that several of the websites were not compliant with the Regulation or with the ePrivacy Directive and did not follow the EDPS Guidelines on web services. One of the issues encountered was third-party tracking without prior consent. This is especially problematic in cases where the third party concerned operates under a business model based on the profiling and subsequent behavioural targeting of website visitors. Other issues encountered included the use of trackers for web analytics without visitors’ prior consent and the submission of personal data collected through web forms over non-encrypted connections.
As a consequence of the EDPS’ inspection findings, all inspected EU institutions now provide secure HTTPS connections and have significantly reduced the number of third-party trackers they use. The inspection’s summary findings were presented by the EDPS and discussed with the network of Data Protection Officers in the EU institutions.
The EDPS will follow up on the efforts of the EU institutions inspected while also continuing website inspections in the months to come. The next wave of website inspections will focus on the most visited websites of the EU institutions and bodies.
The protection of personal data is a fundamental right guaranteed by Article 8 of the EU Charter of Fundamental Rights. The specific rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725. These rules replaced those set out in Regulation (EC) No 45/2001 on 11 December 2018. The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising them on policies and legislation that affect privacy and personal data protection, and cooperating with other supervisory authorities to ensure consistency in the protection of personal data.